Musings on Information Security

Information security in bad economy

RaviC — Sun, 26 Oct 2008 19:37:40 -0700

Economy looks grim. The headlines are very discouraging. Capitalism does not guarantee wealth and success all the time. The talking heads on TV blame the greed in the stock market. I wish stock market is made of just computers that are not greedy human beings. These are bound to happen when there are human beings that participate! Money flows will eventually correct itself I hope, capitalism will be healthy again. This will take time. I am not an economist, but I do understand that people part with money for a period of time to collect higher return in the horizon based on their aptitude for risk. Simple is it not! But, all these complex financial instruments and its machinations seem to blur the reality and make even the brainiest act dumb - or are they just plain greedy?

Setting the context for this post, it is a tough economic situation all over the world. IT spending has reduced and will reduce significantly. In one of earlier posts, I had referred to information security as an overhead of an overhead (IT). What is a good approach for security practice in this type of economy?

I don't have a magic wand to pull a rabbit out of a hat. I have always been told that: tough economy is the time for real smart people to make money. Coming back to information security topic, with a bit of common sense, it is wise for information security professionals to offer services in those areas that does not involve capital expenditure. As a Security Manager, you may be already aware that your people are willing to go an extra mile in the current economic times.

- No budget or lack of budget, means no new capital expenditure. Spend time wisely in building a future technology strategy and keep it in the back pocket when the economy turns around.

- This is a good time to create roles/responsibilities and ownership for various areas. Create operating procedures. Make your team to automate tasks. This will help your operations become more efficient.

- This is time for security awareness education. Create pamphlets/brochures/presentations for an online or classroom training. Engage your and your team's time to impart training.

- Leverage already invested technology platforms. Leverage utilized features that reduce costs. If you have already invested in technology such as VMware, this is the time to get the best out of it. You can use VMware's toolkit to build your lab and staging environment and optimize on hardware cost.

- Off shoring has been the mantra of senior executives, this is the time to revisit those services and measure their performance closely and assess your satisfaction level. This is a good time to build a case for not off shoring if it makes sense.

- Companies are more vulnerable in bad economic times. You are in a better position to influence senior management about information security risks under these circumstances and drive home the value of protecting your intellectual property under these kinds of circumstances. management will be all ears for such a pitch.

- Time to engage your architect to optimize your security architecture, revisit standards and optimize design for cost efficiency.

- Revisit various controls and see if there are some risks that you could optimize spending on.

- Training budget is an unfortunate victim of this type of economy. Encourage employees to take free webinars offered by various security vendors and encourage them to share the summary across the team. This will put your employees in touch with latest happenings in security at the same time there is some learning that is imparted despite zero training budget.

- Since there are very few projects in action, this is a good time to have conversations with cross functional teams and educate them about your services and solicit feedback on how to do better.

- Revisit your vendor logistics and identify whether you can renegotiate some of your already existing contracts.

The above are some good ways by which you can optimize costs, this will also enhance your team's competence level in the long run. And this approach is better than letting people go, if you can pull this.

Building secure application

RaviC — Thu, 02 Oct 2008 06:35:44 -0700

Developers have the objective of building a functional application. They are focused on building more functionality into applications. Moreover, building security creates more workload for Developers which is a disincentive and moreover, Developers are rewarded for building more functionality than building more security. I have never seen a Developer in my professional life for being rewarded for building a secure application.

Hackers are focused on how to break the application. They look for weak links in application that will enable them to access application data. Developers usually follow process to build application, but Hackers have no process and all they have is multitude of possibilities. Hackers are innovative in trying various permutations in compromising the application.

A million dollar question is whether we can build secure applications when a Developer is focused on functionality but not on breaking the application?

There is a school of thought about Inside-out security where the application is built securely from scratch. Unfortunately, this approach won't suffice because hackers traverse Outside-in. A little reflection will highlight the importance of vulnerability scanning and penetration testing of application. This will bring the perspective of what developers do not know already.

Building a secure application inside out is not enough. In order to address unknown unknowns (or blind spots of developers), penetration testing should be done. Both whitebox style penetration testing (where components of an application is known) and also blackbox style penetration testing which mi micks an Hacker who may not have any knowledge of the application, should be carried out.

An application of higher level of security is not built just by Developers. It is built by integrative process of Developer mindset and Hacker mindset. This is a constant struggle for years to come.

The asymmetry of data loss - data thief has an upper hand

RaviC — Wed, 01 Oct 2008 06:33:22 -0700

I read this awesome book by Dan Geer, Economics and Strategies of Data Security. This gave me structure for my thoughts about a complex topic such as data security.

When a data owner's (a business) sensitive data is breached it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of sensitive data breach for a large size company is about $50,000. I am attempting here to think about this in simple mathametical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft aka cost of competitive disadvantage

From the data thief's perspective

Net Gain= [Cost of producing the data * Data freshness factor] - Cost to steal the data + Profit of business due to data aka gain of competitive advantage

From the above two equations it is very clear that this is not a zero sum game. There is a clear cost asymmetry for a data owner and for a data thief. When there is an asymmetry there is an opportunity. Data owner would not even know that the data is lost because the original copy of the data may be still intact - data thief could have simply copied the data. Data theft does not look like a car theft, there is no vacuum left behind.

This motivates a data thief to keep the cost to steal low, steal highly valuable data that has a long shelf life and in a way that data owner will never even be aware of theft.

From a data thief's perspective, the cost to steal data if kept high would disincentive him. Moreover, Data freshness factor, i.e. how valuable this data is over period of time plays an important role. A good example is content of today's newspaper is hardly valuable tomorrow, but the content of newspaper two days ahead (if can be procured)would be invaluable. Data relevance is a function of time and other marketplace variables - Data freshness Factor accounts for that variable. A good way to discourage data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there exists no competitive advantage with the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing data is very low, then probably thief can just produce the data himself and would not attempt to steal the data. If the cost of theft is kept high, it would definitely deter the data thief from stealing data using technical mechanisms, then the data thief would exploit weak links in data security such as use of social engineering to get access to the data.

From data owner perspective protecting data becomes very important. How much would the owner be willing to spend? Not definitely the cost equal to cost of producing the data. 1% to 10% of cost of producing data is considered prudent. For a data owner it is difficult to estimate cost of data protection of a specific data, because it is not easy to chunkify data protection costs. Moreover, as Dan Geer says in his book, a data owner has to protect himself from number of intruders not just one.

It pays for a data owner to: be aware of data breaches (or data leaks), employ appropriate mechanisms to protect the data; the cost of protection which is fractional cost of the valuable data and enhance information security awareness of personnel who handle the data.

Data loss is not a zero sum game. The advantage is in favor of a data thief (data thieves rather). Data owner does not give much thought on the value of data unless there is a data theft. But, a data thief has every reason to think about economics of data theft before he acts to steal the data else data thief won't survive in this game and he is very well aware of his advantageous position.

Misc notes on IDS/IPS

RaviC — Sun, 28 Sep 2008 20:11:06 -0700

Chris Hoff's response on his blog Rational Survivability makes me happy on two fronts. The primary reason I started this blog was to use this medium as an outlet for my ungrounded ego. The other was to participate in the Security Blogging community which was then catching up when I started this blog 2 years ago. To get a response for my musings from brilliant minds such as Mike Rothman, Alan Shimel, Chris Hoff and others, gives me immense joy. May be this a good therapy for my undiagnosed attention deficit.

It does not matter if Chris is right or I am right. The outcome of IDS/IPS is all determined by random drift of market forces. There is no conspiracy to make IDS/IPS this way or that way. I would like to wrap up with a quote from Arthur Chandler : "We can tell when a technology has truly arrived when the new problems it gives rise to approach in magnitude the problem it was designed to solve".

Please contact Microsoft for Firefox problem? True but Funny Dialog Box

RaviC — Thu, 25 Sep 2008 06:23:47 -0700

IDS/IPS - is it Vitamins?

RaviC — Wed, 24 Sep 2008 18:35:22 -0700

Alan Shimel's post on "IDS - the beast that just won't die" triggered my hidden thoughts about IDS.

Rather than thinking about IDS as a piece of device/software that provides fancy features. Let me try to summarize some assertions about IDS:

IDS can capture tons of intrusion events, there is so much of don't care events it is difficult to single out event such as zero day event in the midst of such noise.

It requires tremendous effort to sift through the log and derive meaningful actions out of the log entries.

IDS needs a dedicated administrator to manage. An administrator who won't get bored of looking at all the packets and patterns, a truly boring job for a security engineer. Probably this job would interest a geekier person and geeks tend to their own interesting research!

There are companies that do without IDS, and they do just fine. I agree with Alan's assessment that IDS is like a Checkbox in most cases. Business can run without IDS just fine, why invest in such a technology?

Firewalls and other devices have built in features of IDS, so why invest in a separate product.

IDS is like Vitamins, nice to have, not having won't kill you in most cases. Customers are willing to pay for Pain Killers because they have to address their pain right away. For Vitamins, they can wait. Stop and think for moment, without Anti-virus product, businesses can't run for few days. But, without IDS, most businesses can run just fine and I base it out of my own experience.

Probably, I would have offended folks from the IDS camp. I have a good friend who is a founder of an IDS company, I am sure he will react differently if he reads my narratives about IDS. Once businesses start realizing that IDS is a Checkbox, they will scale down their investments in this area. In the current economic climate, financial institutions are not doing well. Financial institutions are big customers in terms of security products, with the current scenario of financial meltdown, they would scale down heavily on their spending on Vitamins.

Running IDS software on VMware sounds fancy. Technology does not matter unless you can address real world pain and prove the utilitarian value of such a technology. I am really surprised that IDS continues to exist. Proof of existence does not forebode great future. Running IDS on VMware does not make it any more utilitarian. I see a bleak future for IDS.

Cute names can't come to rescue

RaviC — Sat, 23 Aug 2008 23:26:05 -0700

Most of us have heard the conversations about looming threat to survival Fannie Mae and Freddie Mac. Their names are cute but it can't help fix a bad strategy of making money by dishing out bad loans.

I have had interaction with several security project managers who were very good in creating a buzz around their projects. Projects were given fancy names. The funniest project name I have heard was "Baby Rhino". One day I get an email in my inbox with a subject line which says: Baby Rhino Caputred! - The email got my attention, but the project did not gain any extra respect (because of the name) hardly there was any significant accomplishment in terms of its deliverable.

I would rather stick with project names that signify scope, relevance, meaning and value of a project. It is not bad to market a project, but trying to market a project without delivering value is a gimmick.

Taming of the Information Security

RaviC — Wed, 09 Jul 2008 06:33:15 -0700

In many mid-size to large organizations, information security grows up to become an unmanageable complex beast. In some cases, this happens consciously where information security goes out of control, but in other cases this happens unconsciously where there is a slow but incremental increase in the complexity of information security which leads to chaos.

The information security field is not yet fully mature; there is a lack of cohesive interoperable framework. The rapidly evolving landscape adds to the existing problem. There are several examples: Intrusion Detection System (IDS) was quickly overtaken by Intrusion Prevention System (IPS). On the Firewall arena: the focus has moved from perimeter security to end point security. There are some security visionaries who are preaching inside-out security approach i.e. building products with information security in mind from the beginning of product development.

Threats are moving higher up in the OSI stack making it harder to detect. Hackers are becoming more sophisticated – there are powerful free open source hacking tools available at their disposal. Security managers driving security initiatives without coordination can result in pieces of puzzle that don't fit well. Agency problem i.e. security managers thinking more about their personal advancement rather than security of the company is bad for the company’s security initiative. Security leaders who do not have a clear vision of security at the component level, the administration level and the strategy level can only make information security even more convoluted. The CISO and acting CIO of US Dept of Veteran affairs resigned after the breach in May, 2006 where personal data of 26 million veterans and more than 2 million service members was stolen. This clearly demonstrates the accountability and visibility of security leadership.

The attitude of IT security leaders and security team members has a significant impact on security. Reckless buying of information security technology can result in wasteful expenditure and very little gain in efficiency. Not understanding the business perspective of security issues or security perspective of business issues can lead to poor security decisions. Using security as a mechanism to gain control rather than using it as a tool to reduce risk can only diminish the perceived value of security initiative. Implementing security as an afterthought rather than building it into the framework not only result in poor architectural decision. Security investment is more like buying insurance. Thinking security as a vehicle providing an ROI can result in wrong expectation and lead poor decision. The business in which a company operates contributes largely to the perceived importance to security. Financial institutions usually have a higher bar on security because of the very nature of their business and their exposure legal liability. It is a good idea for many technology companies to emulate financial institutions to raise their information security bar.

It could be a pipedream to accomplish complete information security but accomplishing a well managed information security program is an attainable possibility.

Security Function as a Business Enabler

RaviC — Fri, 27 Jun 2008 20:50:58 -0700

In one of my earlier blog posts I branded Information Security function (as part of IT) as an overhead of an overhead. It is utmost important for security manager to run the security function in a way that it enables the business.

The various components (sub functions) of security organization should align with the business objectives of the IT and the whole organization. There needs to be a cohesive security strategy in order to align the various comoponents. One good way of understanding the business objective is why is the business parting with money for deploying a specific security component. Why is business giving me money for Compliance? Why is business giving me money to implement IDP? Constitutive questions such as these will help you to understand the fundamental concerns for the business and based on these we can come up with a strategy suitably aligned with the business.

One good example is the area of compliance. Attempting to make each every units of your business complaint with certain standards/legal regulations and so on would be a tall order. First define the scope, draw a circle around the units that need to be compliant, then come up with a strategy to make it compliant by formulating your objective - derived from the business objective of why the business gave you money.

Any security implementation effort should have a well defined focus (scope), business objective and strategy to bind the various components cohesively that aligns with the ultimate business objective. By this business will view security organization with dignity else security organization will end up being a spoke in the wheel of business.

In the past, I was involved in discussion about the ROI of information security and security is insurance and so on. After eating the forbidden apple from the tree of paradise, I realize security has neither ROI nor akin to insurance. Information security is way of doing business with due care. Security is way of enhancing the trust of a business among customers and thus enhancing the identity (or brand image of the company). Few years down the line people won't even question why you do security, it will become a part of your background conversation. Nobody questions why we buy hybrid vehicles anymore right?

If components of security function is not cohesively aligned with business objective it is spoke in the wheel of business else it is a brand enhancer of business.

The Order of Diminishing Returns

RaviC — Tue, 17 Jun 2008 21:41:37 -0700

This is a classic management term which does not need any introduction to many folks. The more money you pour into the security budget the more money will be spent in buying unneeded security products which can increase the complexity and reduce efficiency of your security operations. The start-up companies that I worked long ago had installed 5 layers of Firewall to prevent intruders. The security manager claimed to me that it is there to really protect the information assets, but sooner I realized these firewalls were not configured right and they were a set of a fireholes than a set of firewalls. Moreover, the maintenance costs in this type of complex security framework can be humongous. Imagine poor me debugging the firewall rules across these 5 layers of firewalls. But, one thing for sure the job security of security professional who implemented these complex security framework is guaranteed. In reality,the guy who implemented these 5 layers of firewall worked as a consultant for this start-up in the off hours and weekend!

In reality I have seen well run security organizations, they are lean and mean. They not only provide continuous security thought leadership for the entire organization but also implement security in a simple and efficient way. The graph below gives a visual picture of what I mean by order of diminishing returns.

On a related note I have identified four different states of security organizations considering competence of employees and budget availability. Of course there are in-between states. I have considered only the extremes:

Application Due Care

RaviC — Mon, 18 Feb 2008 08:55:12 -0800

Often I hear phrases such as "if the application is truly built secure inside-out, then there is no need for other security layers". Truly secure application is a far fetched statement.

1. What is the application made of? - Complexity.

2. How was the application built? - Methodology.

3. Where does the application run? - Environment.

#1. Complexity - Applications are developed using one or more of open source software, third party libraries, re-used libraries (from the past), middleware, database and the run-time environment. In order to develop a truly secure application we need to ensure security in all of these components that go into building the application.

#2. Methodology - The development methodology that is employed to build the application. This brings up several issues: customization work, secure coding practice, outsourced development, offshore development, peer review, development tools, security requirements as a part of the design, source code scanning, threat modelling and penetration testing.

#3. Environment - Application exist in an environment. This brings up several considerations such as operating system, virual operating system(such as VMware), other applications that co-exist with this application, CPU hardware, storage, network and lastly whether the application runs behind the firewall or in the DMZ.

It is overstatement to say that the application built using secure development methodology is secure. All the three factors Complexity, Methodology and Environment should be considered to make a judgement call about application security. The pragmatic approach is to build application that is secure enough that poses risks that are acceptable to business (customer) this is what I would like to call "Application Due Care".

Security is Invisible and Customers won't Pay for Security

RaviC — Fri, 25 Jan 2008 19:06:11 -0800

A few years ago a dentist that I consulted with recommended me Dental Protector for Night Time Teeth Grinding. She mentioned that I grind my teeth during sleep. How in this world can I disprove her statement unless I have some external observer to monitor me all night to validate my teeth grinding!

Security is invisible. Customers are willing to pay for visible software product functionality but not for secure software product development methodology. Unfortunately, most of the security is in the backend, if security works well, truly, it should be "invisible" and the fact that it hidden does not motivate customers to pay anything extra. Security incidents motivate customers to act, this is the time when security becomes visible but the limelight fades away as soon as this incident is handled.

We as security professionals see: the internal mechanics of software security and also can speculate ramification of poor software security in customer deployment. Because we see this we can't expect customers to pay for it. Making security visible to the customer will defeat the whole purpose of security and making it invisible diminishes the value of security. It is a dichotomy that we (as security professionals) have to manage and live with. Customers who notice and are aware of security may start check on of the security aspect of a product before buying it. Unfortunately, security is just one aspect, buying a specific product vs. other products purely based on security is a pipe dream. In the distant future when all products have security built in, security won't be a differentiator anymore and visibility of security will diminish even further.

If security was highly visible, we would find Steve Jobs touting security on stage at MacWorld. May be this is the reality check for security professionals.

Media and Our Mind - Risk is All About Perception

RaviC — Wed, 23 Jan 2008 07:22:32 -0800

Dave has an excellent blog post on how media affects our risk perception. Dave Hitz is the founder of NetApp.

This is the what Dave says:

"A good risk management plan should take into account hurricanes, lost tapes, lost laptops, and maybe even terrorist attacks, but realistically, headlines typically don't highlight the most important risks. You are much more likely to lose data from human error or inadequately tested backup and recovery processes than from floods or attacks, but inadequate processes don't make good headlines. In addition, headlines fade quickly – if something becomes frequent it's often less newsworthy, but the risk remains. Our more sophisticated customers, like financial institutions, build risk management models that already include the items most likely to show up in the headlines, and if they use media reports at all, it's to update some aspect of their model, like the probability of a particular event, or the impact and cost.

In summary, don't worry about terrorists until restore from your nightly backup is well tested. "

More details can be found on his blog here.

An interesting Whitepaper on Web 2.0 Security & Fortify Event

RaviC — Fri, 18 Jan 2008 07:40:36 -0800

I was fortunate to be introduced to a good ex-Microsoft Security person, Shivaram Mysore. He has an interesting whitepaper on Web 2.0 Security. It is worthy read. The whitepaper gives a brief introduction to service models available and aligns your thought process around securing Web 2.0 around these service architectures.

I recently attended the pre-screening of the Information Security documentary titled: The New Face of Cybercrime. The documentary was very nicely done, considering the Director Fredric Golding has no background in Information Security.

The thought leaders panel discussion was very stimulating. Being an analogy person, I liked analogy narrated by Howard Schmidt , Former White House Security Advisor, about evolution of Information Security and evolution of Firefighting. In the past, Firefighting was a reactive approach but these days people factor in the the threat of fire pro-actively into the building design - sprinklers, fire retardant materials and so on. Another panelist Ted Schlein, Managing Partner KPCB, mentioned the security spending is around $12 billion/year vs. the loss due to information security breach is around $100 billion/year - trail of money always sounds interesting to me. There were lots of discussions about Inside-Out vs. Outside-In approach to Information Security.

Thanks to Fortify for putting this event together. I am sure we need more such events should happen amongst the executive crowd to bring a high level of security awareness.

Lastly, I would like conclude this post by quoting the importance of user awareness because user awareness determines the "usage" which is a very important component for a the threat model of an information system. I conclude by repeating the popular quote: "There is no patch for stupidity".

Excellent addition to Information Security Blogging Community

RaviC — Wed, 21 Nov 2007 18:43:11 -0800

My good friend, Muni Tripathi has started blogging on Information Security. You can read his blog about security at:

http://muni-on-security.blogspot.com/

Getting vulnerabilities in the application fixed

RaviC — Sat, 27 Oct 2007 13:20:07 -0700

I have been approached by few security professionals about the problem they encounter in getting software developers to fix the vulnerabilities that is detected in the application.

Let us accept the fact that developers are mostly busy focusing their time and effort on the functionality of application. Most of the time the software development manager gets away by using the busy excuse. One approach that I suggest you could is to rank the vulnerabilities based on "severity" (how bad if the vulnerability is exploited) and "threat" (how likely the vulnerability exploit is) and communicate this list to the software development team. Give the software development manager time to fix the vulnerabilities - usually the time that the software development manager thinks that is acceptable.

If the vulnerabilities are not acted up on despite of your first meeting, then try this route: require the software development manager and the business owner of the application to sign a business risk acceptance form. The risk acceptance form could be as simple as a word document with a list of high severity/threat vulnerabilities and a narrative that states that signatories of the form acknowledge the existence of vulnerabilities (that you communicated) and have accepted the risk (posed by the vulnerabilities) for a time period specified in the form. This way as a security professional you are covered that you did your job in communicating the security risk to the stakeholders. Now that they have signed on the form if something bad event happens the accountability of the event is outside of you.

You may find out that, business risk acceptance form is a good tool to motivate software development manager - would mobilize resources to act on vulnerabilities rather than sign the business risk acceptance form .

Web 2.0 SecureD. DelivereD. :)

RaviC — Sat, 13 Oct 2007 09:29:44 -0700

Web 2.0 has become a well accepted jargon in the current marketplace. It is a set of new web based technologies that enable building of on-line communities.

Web 2.0 is a democracy of user communities [thanks to Paul Graham for his definition]. Web 2.0 gives more power for the users to interact, customize, share and leverage.

The democratization of users bring significant problems.

1. Loss of privacy: Ease of use motivates users to upload personal information. Many users are not aware of ramifications of loss of personal information or they don't even think on those lines. A good example is an employer going through the Facebook entry of a potential hire.

2. Hackers Paradise: New technology brings new vulnerabilities. Hackers are having a party exploiting Web 2.0 based applications. We are more vulnerable with Web 2.0 currently than with Web 1.0.

3. Lots of Junk: Take for example Wikipedia, anyone/anywhere can edit the content [everybody is an expert!]. How can I trust the quality of information? It is not possible to reference Wikipedia in a research paper. Moreover, it puts burden on the users to sift good and bad stuff.

4. Copyright/Intellectual Property Violations: I don't have to say much about this. Web 2.0 provides a platform for such violations and magnifies the impact [Record label sues Napster, Viacom sues Google over YouTube clips].

5. Other Social Problems: People can interact on-line in ways that was not possible before. These new interactions create new set of social problems.

and many more problems that can make my blog post long and boring..

Some of the above aspects can be addressed: for example building web applications securely ground up can help prevent hackers. Designing Web 2.0 application to ensure users use the platform responsibly is a good idea too. Spreading security awareness education to on-line communities can help engender responsible/secure use of the web.

Security should be a feature added to Web 2.0 and let's call Web 2.T3. The "T3" represents the security triad - Confidentiality, Integrity and Availability.

Though security does not address all aspects of Web 2.0. Web 2.T3 surely will be a better place to live.

The Moo Security through Sacredness

RaviC — Wed, 29 Aug 2007 04:30:13 -0700

I am currently in India, attending my dad's health concern. I stay awake at wee hours, still recovering from the jetlag. Cow is considered a sacred animal in India for multitude of reasons:

1. Cow gives milk which is a main source of protien in many parts of India.

2. Diluted cow's milk is given to newly born baby in cases where mom is not lactating hence elevating the status of a cow to that of a mom.

3. Cow's dung can be used as manure and also dried dung cake is used as fuel.

4. Cow's urine is used as a cleansing agent and also for other medicinal purpose.

Cow is considered sacred because of its utility value to common people. Cow roams around in the streets of my hometown freely and they are unharmed because they are sacred. By being sacred, cow is the most secure animal over here.

Security function is considered as an extension of IT, it is an overhead of an overhead - it is not sacred. Security function usually is the foremost to feel the pinch due to IT budget cut. A good way to make security function "secure" is to make it sacred. There are standards like ISO27001, COBIT which are well respected and considered sacred in the security domain. By conformance of security function to such standards we can not only create a perception of "sacredness" for the security program but also communicate value of the program easily through the standard's framework.

Lost laptop = Lost data!

RaviC — Sat, 18 Aug 2007 08:28:15 -0700

Laptop has become our essential travel companion. Lost brand new laptop without personal or company data will result in a loss of current market value of the laptop. Lost laptop with personal or company data can result in a loss which can depend on the value of the "data". It is easier to make amends for the lost laptop but making amends for lost valuable company data or valuable personal data may not be possible.

It is very important for us to be "laptop data aware" i.e. the categories of data it has and the consequences of lost data. A good practice is to treat your laptop like your wallet.

I found these 9 tips on Microsoft website. These tips are really thoughtful and well written and hence I like to repeat it below:

Use these 9 tips to learn how you can keep your laptop more secure when you're on the road.

1.	Avoid using computer bags. Computer bags can make it obvious that you're carrying a laptop. Instead, try toting your laptop in something more common like a padded briefcase or suitcase.
2.	Never leave access numbers or passwords in your carrying case. Keeping your password with your laptop is like keeping the keys in the car. Without your password or important access numbers it will be more difficult for a thief to access your personal and corporate information.
3.	Carry your laptop with you. Always take your laptop on the plane or train rather then checking it with your luggage. It's easy to lose luggage and it's just as easy to lose your laptop. If you're traveling by car, keep your laptop out of sight. For example, lock it in the trunk when you're not using it.
4.	Encrypt your data. If someone should get your laptop and gain access to your files, encryption can give you another layer of protection. With Windows XP and Windows Vista you can choose to encrypt files and folders. Then, even if someone gains access to an important file, they can't decrypt it and see your information. Learn more about how to encrypt your data with Windows XP or encrypt your data with Windows Vista.
5.	Keep your eye on your laptop. When you go through airport security don't lose sight of your bag. Hold your bag until the person in front of you has gone through the metal detector. Many bags look alike and yours can easily be lost in the shuffle.
6.	Avoid setting your laptop on the floor. Putting your laptop on the floor is an easy way to forget or lose track of it. If you have to set it down, try to place it between your feet or against your leg (so you're always aware it's there).
7.	Buy a laptop security device. If you need to leave your laptop in a room or at your desk, use a laptop security cable to securely attach it to a heavy chair, table, or desk. The cable makes it more difficult for someone to take your laptop. There are also programs that will report the location of a stolen laptop. They work when the laptop connects to the Internet, and can report the laptop's exact physical location. Some tracing programs include CyberAngel and ComputracePlus.
8.	Use a screen guard. These guards help prevent people from peeking over your shoulder as you work on sensitive information in a public place. This is especially helpful when you're traveling or need to work in a crowded area. This screen guard from Secure-It is just one example of a screen guard you could use.
9.	Try not to leave your laptop in your hotel room or with the front desk. Too many things have been lost in hotel rooms and may not be completely secure. If you must leave your laptop in your room, put the "do not disturb" sign on the door.

Email is a Practice

RaviC — Fri, 27 Jul 2007 15:50:32 -0700

Being information security professionals, we have obligation to follow good e-mail practice, by this we can operate with due care in our profession and that will make us look good. In my earlier job, colleague of mine [a security expert] had sent me an e-mail describing how he broke the weak encryption of an application. Inadvertantly, in his e-mail, he had pasted his own encrypted password! I showed up at his office and presented this expert his own password. All I did was to follow his advice and write a trivial program to break the cipher. It is very important that we as security professionals should not look or act stupid ;)

Check out this blog post from Marshall Goldsmith "E-Mail Food for Thought". Excerpt from this blog:

"Managers need to worry not just about their own e-mail but also that of their employees. Email is permanent and searchable and can be forwarded as easily to a thousand people as to just one. And the results can range from embarrassing to costly to disastrous. All the goodwill you've built up over years or decades can be destroyed with one bad e-mail from anyone in your organization."

Security Incident Strikes and You are on the Hot Seat..

RaviC — Fri, 27 Jul 2007 07:00:39 -0700

At the risk of sounding like a preacher, I would like to share this short story. Many of us, ACT only when bad news hits the roof and at the point we don’t ACT pragmatically since we did not plan for it! We recently attended a friend’s daughter’s birthday party. Before heading to the party, I printed out the driving directions from the Internet. hit the freeway in the south direction, when the exit arrived found that the exit ramp was closed for repairs. Using common sense, I traveled further south, and took another exit to head North on the same freeway, the exit arrived, but this was blocked too! We did not know how to get to the party and the cake cutting time was approaching. What are my plans for this incident? Luckily I had an AAA map in my glove compartment and I found our way right on time to the cake cutting time. In future I decided wherever I go I have to carry maps or buy a GPS or as a last option ask around.

Security incidents are sometimes a blessing in disguise. It compels you to act. There is a tendency among upper management to blame security team for security incidents. Knee jerk reactions such as CIO firing the CSO or the CSO firing the security team members should be avoided. The facts around the event should be enumerated and the incident should be dealt with pragmatically [refer Pragmatic CSO: Step #8 Contain the Problem]. Security incidents are “breakdowns”. When there is a nasty security incidents here are some facts:

There is a business cost associated with the incident.
There is a vulnerability that has been exploited by a threat agent.
The vulnerability could be:

Unknown
Known but accepted
Known but Ignored

The incident needs to be handled with due care.
Either you have a well defined incident handling plan or you are shooting from your hips [remember P-CSO The Incident Playbook] .

Scenario 1: The vulnerability that resulted in the incident was known and was accepted. Remediation: Deal with the incident and then re-visit the rationale of why this was accepted in the first place. This highlights the importance of documentation such as business risk acceptance form; this will help to cover your rear during security incidents. Make sure to get a business risk acceptance form signed by the business owner. An example is a business owner signs a business risk acceptance form if there is no budget to mitigate the vulnerability.

Scenario 2: The vulnerability that resulted in the incident was an unknown. Remediation: Deal with the incident and create a mitigation plan for this newly known vulnerability going forward.

Scenario 3: The vulnerability that resulted in the incident was ignored. Remediation: Deal with the incident and revisit why the vulnerability was chosen to be ignored in the first place. It may be possible that you end up making a decision of not ignoring this vulnerability.

In all the above scenarios you have to deal with the security incident, this emphasizes the importance of a sound incident handling plan. Putting an incident handling plan is fairly simple. Document what you need to do and whom to escalate to, then communicate the incident management plan to the relevant actors and stick to plan when incident does happen.

Here is simple example of what needs to be done for an Earthquake incident:

- Identify a structurally safe place inside the home to take shelter or identify an open safe place near your house where you can rush

- Decide on a family meeting place, where all family members get together

- Enough food for a week

- Two dozen water bottles etc...

Maslow's heirarchy of security posture?

RaviC — Sun, 08 Jul 2007 17:22:32 -0700

Recently my 3 year old asked me a simple question - "Why do near by objects look big and farther objects look small?" This made me think about blindness that is created by obviousness in our thinking process. "Pride" that we [adults] know more than kids put an end to our constant questioning of our surroundings. "Pride" is one among the 7 deadly sins of Website Vulnerability Disclosure according to Jeremiah. Nice blog post Jeremiah.

I see a Maslow's heirarchy in the evolution of security posture of a company. Each posture is determined by the line of business [type of industry] and the size of business [start-up or mid-size or large publicly traded].

1. Don't Care for Security - These are early stage companies that don't have time for security since they are busy getting their product out. There are mid-size to large companies that demonstrate this posture [at their own risk]. Ironically, early stage or start-up companies should take utmost care in protecting their intellectual property [sensitive data] else they will loose their competitive advantage.

2. Security Exists - These are companies that acknowledge that security is important and realize that some reasonable measure needs to be taken to protect their intellectual property. Websites that have begun e-commerce transaction on their website realize the importance of security of their customers' data, belong to this category. There are companies that have realized the importance of security since customers have started demanding security in their products [Why would you buy a book from a small online book vendor vs. Amazon? A small online vendor has to work harder to convince customers about security]. These are the companies that are drafting a security architecture and working toward Basic Security posture.

3. Basic Security - These are companies that have the knowledge that "Security Exists" and have acted to make sure that there is basic security to protect their intellectual property. These are mostly small to mid-size publicly traded companies. They use layered security approach: Firewall, IDP and Anti-Virus. These companies are not competent in handling security incidents effectively. They have no plans for what if bad stuff happens.

4. Managed Security - These have incorporated dedicated staff to manage the lifecycle of security components. They have the well defined procedures to handle security incidents. There is a small budget allocated to the information security team, but management does not perceive the value of the team. Security is not viewed as a risk management framework for the business.

5. Constantly Improving Security - These are companies that recognize that security posture is a constantly moving target. Senior management is committed to the security program. Security is viewed as a holistic program to mitigate business risk due to information security breach. They have well defined security policies and security procedures. They have security awarenes program for employees. They audit their security practices against standards [such as ISO 27001, COBIT]. These are companies that are ISO 27001 compliant or heading in that direction. They routinely audit security practices, identify non-conformances and act on it to improve and this process goes on and on. These companies tend to be mid-size to large publicly traded companies. Financial institutions strive hard to be in this category. Moreover, companies that are concerned with running an efficient security program employs this model.

Here are some facts around these postures:

1. At the top of the pyramid is posture #5, there is no short-cut to it.

2. There is a cost involved in transitioning from lower posture to the next higher posture.

3. The cost of transitioning increases exponentially as as you advance through the postures.

4. When #5 is attained there is efficiency and economies of scale hence reduces the cost of the security program and reduces business risk significantly at a low cost.

Catch not-so-smart hackers to send message to smart hackers

RaviC — Thu, 10 May 2007 07:00:33 -0700

Hackers interact with software/hardware in order to compromise Confidenitality, Integrity and Availability of software/hardware. The adjective "smart" in the phrase "smart hackers" distinguishes those hackers who can compromise Confidentialy, Integrity and Availability in such a way that they leave minimal or no audit trail.

There are technical controls [tools such as Vontu] available to monitor deviant computer usage of employees of a company. It is extremely difficult to catch a smart-deviant employee. An intelligent alternative is to catch not-so-smart-deviant employee to trigger a warning message to smart-deviant employee - [smart-deviant employee could either become smarter or they could just shut up!]. Typical examples of not-so-smart-deviant employee behaviour are: 1. Sending confidential document to a competitior through an email attachment. 2. FTP'ing confidential document outside of the company. 3. Using webmail to send confidential document.

Mike Rothman's blog post about spammer's using encrypted zip files to tunnel thro' filters demonstrates the brilliance of smart hackers. It is well known truth that HTTP is known as UFBP (Universal Firewall Bypass Protocol). What if a hacker tunnels encrypted data thro' a SOAP container which uses HTTP? It would be extremely hard to catch those extreme cases with technical controls.

Jeremiah's thoughtful blog post about "How to check if your WebMail account has been hacked". A smart hacker who has hacked say your gmail account would not be dumb enough to open a spurious looking email in the first place, moreover they would get around by choosing the option of not displaying images!

Smart hackers get away most of the time. There is no point in spending cycles to catch them. Hope for the good by catching not-so-smart hackers! Do make sure when you catch not-so-smart, it leads to widespread educational opportunity.

The importance of business skills

RaviC — Fri, 27 Apr 2007 07:23:30 -0700

Many information security professionals are very good at doing the right things. They understand the importance of perimeter security, endpoint security, reasonable controls inside and outside to address various threats. Do a hundred good things and one bad thing, you will be remembered for that one bad thing. That is the reality of life and that holds true for infromation security. Typically as you advance in your career you are paid little more money because of:

1. The leverage of scenarios [scenarios aka experential knowledge].

2. Skills and Certifications. Moreover, less time required to acquire new skills

3. Competency. [Translates to lower probability of making mistakes and higher probability of doing it right]

The above are measures of security professional to meet the expectations of the job and does not help in commanding premium pay.

Information security professionals can command premium pay for the following:

A. Knowledge of how security affects business vice-versa.

B. Identify business risks in the realm of information security, qualify and institute control measures.

C. Measure, track information security, communicate value to upper management and across the board .

D. Predict/Prevent bad events and institute plans to handle bad events.

It is not surprising to note that all of the above items are in the domain of business.

Towards the right extreme of the graph you will find Security Directors, Chief Security Officers and Senior Security Consultants. This graph was made to start conversations in the mind of the blog readers so this has to be taken with a grain of salt.

From Self-Defending Networks to Realtime Compliance

RaviC — Wed, 28 Mar 2007 07:03:03 -0700

A while ago the phrase "Self-Defending Network" was popularized by Cisco. I am not sure why I do not hear this phrase often. What's up with that?

Here are reasons why Self-Defending Network is a far-fetched idea:

1. Security is not just technology alone. Security is people, security is process, security is technology.

2. The threats are evolving and moving up the stack. The motive of hackers is financial gain, not ego display as in the past. The exploits are very focused & covert vs. widespread & ostentatious. It is hard for Self-Defending network to identify distinguish a focused & covert traffic from a normal traffic.

3. Network is an ecosystem of software and hardware from multitude of vendors. A Self-Defending Network cannot keep a tab on the vulnerabilities across the board.

4. Number of vulnerabilities is not finite. The permutations and combinations of vulnerabilities add more complexity. Self-Defending Network cannot keep a tab on all those.

5. The components (Firewall, IPS, NAC Et. Al.) of Self-Defending network should evolve synchronously in order to inter-operate and still be effective which is less than likely.

6. Self-Defending network cannot understand your business systems and prioritize risks.

7. Self-Defending Network cannot provide physical security to itself.

and many more..

Building and maintaining a network which can shield network from threats that you perceive as risks to business [within the limits of your budget] is practical.

At RSA 2007 compliance phrases were flying all over, Real-time Compliance, Continuous Compliance, Sustainable Compliance, ad-nauseum. The famous McAfee party was my savior, I downed few glasses of wine and that helped me regain my orientation. Riding back home on the cal-train I was wondering if customers buy vendor phrase or real solution that address their concern. The vendor phrase seems to be an eternal winner.

Website Security

RaviC — Fri, 16 Mar 2007 17:59:11 -0700

Recently I attended a Website Security breakfast event organized by WhiteHat. Security expert Bill Penington talked about the lifecycle of vulnerability. Another Security expert Jeremiah Grossman shared some interesting stats about vulnerabilities in web application. This was an event packed with lot of takeaways and also I met several interesting security professionals.

Here are some salient features about website (or web application) security:

1. Web was not inherently designed to be secure ground up.

2. Platforms are insecure (OS, Database, Applications)

3. Web programming languages are immature.

4. Protection mechanism is non-existent by default.

5. Browsers are riddled with security holes.

6. Web programmers and users make mistakes.

7. Web applications change frequently i.e. they have a shorter release cycles.

8. Business logic vulnerabilities are hard to detect.

Grayware?

RaviC — Wed, 07 Mar 2007 07:11:45 -0800

Very interesting definitions that I found on www.dqchannels.com which I would like to highlight:

'Grayware' is a term that regularly appears on IT and security professionals' radar screens today. An umbrella term applied to a wide range of applications that are installed on a user's computer to track and/or report certain information back to some external source, these applications are usually installed and run without the permission of the user.

Grayware categories

Adware: Adware is usually embedded in freeware applications that users can download and install at no cost. Adware programs are used to load pop-up browser windows to deliver advertisements when the application is open or run.

Dialers: Dialers are grayware applications that are used to control the PC's modem. These applications are generally used to make long distance calls or call premium 900 numbers to create revenue for the thief.

Gaming: Gaming grayware applications are usually installed to provide jokes or nuisance games.

Joke: Joke grayware are applications that are used to change system settings, but do no damage to the system. Examples include changing the system cursor or Windows' background image.

Peer-to-Peer: P2P grayware are applications that are installed to perform file exchanges. (P2P) While P2P is a legitimate protocol that can be used for business purposes, the grayware applications are often used to illegally swap music, movies, and other files.

Spyware: Spyware applications are usually included with freeware. Spyware is designed to track and analyze a user's activity, such a user's web browsing habits. The tracked information is sent back to the originator's Web site where it may be recorded and analyzed. Spyware can be responsible for performance related issues on the user's PC.

Key logger: Key loggers are perhaps one of the most dangerous grayware applications. These programs are installed to capture the keystrokes made on a keyboard. These applications can be designed to capture user and password information, credit card numbers, email, chat, instant messages, and more.

Hijacker: Hijackers are grayware applications that manipulate the Web browser or other settings to change the user's favorite or bookmarked sites, start pages, or menu options. Some hijackers have the ability to manipulate DNS settings to reroute DNS requests to a malicious DNS server.

Plugins: Plugin grayware applications are designed to add additional programs or features to an existing application in an attempt to control, record, and send browsing preferences or other information back to an external destination.

Network management: Network management tools are grayware applications that are designed to be installed to for malicious purposes. These applications are used to change Tools network settings, disrupt network security, or cause other forms of network disruption.

Remote administration tools: These tools are grayware applications that allow an external user to remotely gain access, change, or monitor a computer on a network.

BHO: BHO grayware applications are DLL files that are often installed as part of a software application to allow the program to control the behavior of Internet Explorer. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information stored on the host.

Toolbar: Toolbar grayware applications are installed to modify the computer's existing toolbar features. These programs can be used to monitor web habits, send information back to the developer, or change the functionality of the host.

Download: Downloaders are grayware applications that are installed to allow other software to be downloaded and installed without the user's knowledge. These applications are usually run during the startup process and can be used to install advertising, dial software, or other malicious code.

About RSA 2007

RaviC — Tue, 06 Mar 2007 07:00:20 -0800

Professor Eugene Spafford has a nice analysis about RSA 2007 conference.

Cost of vulnerability

RaviC — Mon, 05 Mar 2007 21:19:05 -0800

Early in my career, I had this interesting experience that I would like to share. I worked with a software engineer / architect who was extremely brilliant. He was equally arrogant too.

I found a very serious vulnerability in his code where a hacker could easily hijack a user session. I set up a demo scenario for this and walked up to his office to bring this to his attention. His response to my discovery was more amazing than the vulnerability itself. He thumped his clenched fist on the table and avered " My code is bullet proof". By his immature and stupid reaction the architect increased the cost of vulnerability.

I was deeply upset by his remark. Though it could have easily turned into a heated exchange I restrained myself and walked back to my cube. One among the top management happened to pass by my cube, he looked at the demo scenario and exclaimed "this really sucks!". Eventually the vulnerability was acted up on and a fix was deployed on time.

The way you react to a vulnerability determines the cost of the vulnerability. There is no right answer here. Prudent and Pragmatic approach can reduce the cost and preserve company's brand identity.

Providing real security to customers

RaviC — Sat, 17 Feb 2007 07:49:58 -0800

I see two distinctions in the realm of security: security and illusion of security. An example for illusion of security is: you are asked to fill out forms that claim to protect your PII (Personally Identifiable Information), this gives an illusion that your PII is being protected, whether it is actually being protected is a moot point.

1. Banks and other financial institutions have started to use "sitekey" to protect customers from Phishing threat.

2. IE7 has a Phishing filter built into the browser.

3. There are sites like "scandoo" which can help you categorize web sites and eliminate Phishing and Malware web sites.

4. Multitude of other controls built into to existing security tools to prevent Phishing.

Do these controls really prevent a customer from the Phishing threat? Check out this interesting research paper which make us wonder about:

1. How do customers react when "sitekey" is missing?

2. Do customers recognize the warning from the Phishing filter?

3. What % of customers know about the existence of tools such as scandoo?

It all boils down to how the customers embrace the technology design else it is only the illusion of the designer that technology is working the way the designer expected it to.

No wonder despite all these controls the Phishing trend has not reduced.

It is time to realize that providing an illusion of security is not enough. Educating customers to embrace technology for better security holds the key. This may involve significant time, cost and energy but that is the right path toward real security.